What Is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act. It’s the legislation that makes sure your protected health information (PHI) is kept private and kept secure. It covers how healthcare providers and associated businesses should handle your data and protect your health information, and provides the standards needed to ensure PHI data is stored, handled, and accessed correctly at all times.
It also lays out the significant fines and penalties for individuals and organizations that handle sensitive PHI data but don’t comply with the standards.
What Counts As Protected Health Information?
- All your medical records, such as blood test results or an MRI scan.
- Billing records at the doctor’s office.
- Conversations (emails, notes) about your health between you and your doctor, your doctor and other medical staff, or your health provider and your insurance company.
Who Needs To Comply With HIPAA?
Initially only doctors, hospitals, and insurance companies needed to comply with HIPAA specifications, as they were the only people and organizations with access to PHI. These are known as Covered Entities and include any organization that provides “treatment, payment, and health care operations.”
Covered Entities include:
- Doctors and their offices
- Insurance companies
However, a 2013 update increased the scope of HIPAA to take into account the increased use of outsourcing and cloud providers in healthcare. Any service that transmits, stores, or receives PHI data is now categorized as a Business Associate and has to comply with HIPAA.
Business Associates include:
- A medical transcription service providing services to a doctor.
- A SaaS company that provides cloud-based electronic health records for physicians.
- An analytics company that processes medical data.
What does HIPAA require?
For a covered entity or a business associate to be compliant with HIPAA law, they are required to do 4 things:
- Have safeguards so that PHI data is always protected.
- Restrict access to PHI data to only those people needed to accomplish the intended purpose.
- Have Business Associate Agreements (BAAs) in place with service providers to ensure security of PHI data.
- Have procedures and policies to limit access to PHI data, and training in place to teach employees and users about data security and privacy.
The HIPAA Security Rule
Of the 4 HIPAA rules (Security, Privacy, Enforcement, and Breach Notification), it’s the HIPAA Security Rule that developers have to pay close attention to.
For SaaS companies wanting to work with healthcare providers, medical organizations or business associates already working in the industry, the Security Rule sets out how PHI data must be handled by the app or service.
This rule lays out the Technical Safeguards that make sure access to data is controlled, that data is secure, and individuals are properly authenticated.
- Access Control. There must be policies and procedures in place to make sure only authorized users are allowed access to PHI data. This could include unique identifiers for each user, emergency access procedures, and encryption procedures.
- Audit Controls. Mechanisms should be in place to record activity in the system and examine access by individuals.
- Integrity Controls. PHI data must not be improperly altered or destroyed, and procedures must be in place so that auditors can confirm whether this has happened.
- Transmission Security. Security measures should be in place to make sure no unauthorized access to the PHI data happens as it is transferred over a network.
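As an added example (not code from the original post or from Auth0), here is a minimal Python sketch of how the Access Control, Audit Controls and Integrity Controls safeguards above translate into code: every access is tied to a unique user ID and checked against a "minimum necessary" role table, every attempt is written to an append-only audit trail, and each stored record carries an HMAC tag so an auditor can confirm whether it was altered. The role table, the HMAC key and the patient data are constructed assumptions; Transmission Security is not shown, since that belongs to the transport layer (TLS) rather than the application.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed example: which roles may access PHI for a given purpose
# ("minimum necessary"); a real deployment would load this from policy.
AUTHORIZED_ROLES = {
    "treatment": {"physician", "nurse"},
    "billing": {"billing_clerk"},
}

class PhiStore:
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key   # HMAC key; assumed to live in a secrets manager
        self._records = {}          # patient_id -> (record_json, hmac_tag)
        self.audit_log = []         # append-only record of every access attempt

    def _tag(self, data: str) -> str:
        return hmac.new(self._key, data.encode(), hashlib.sha256).hexdigest()

    def _audit(self, user_id: str, action: str, patient_id: str, outcome: str) -> None:
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "user_id": user_id, "action": action,
                               "patient_id": patient_id, "outcome": outcome})

    def _authorize(self, user_id: str, role: str, action: str, patient_id: str, purpose: str) -> None:
        # Access Control: deny (and log the denial) unless the role fits the purpose.
        if role not in AUTHORIZED_ROLES.get(purpose, set()):
            self._audit(user_id, action, patient_id, "denied")
            raise PermissionError(f"{role} may not {action} PHI for {purpose}")

    def write(self, user_id, role, patient_id, record: dict, purpose="treatment") -> None:
        self._authorize(user_id, role, "write", patient_id, purpose)
        data = json.dumps(record, sort_keys=True)
        self._records[patient_id] = (data, self._tag(data))   # Integrity Controls: tag on write
        self._audit(user_id, "write", patient_id, "ok")

    def read(self, user_id, role, patient_id, purpose="treatment") -> dict:
        self._authorize(user_id, role, "read", patient_id, purpose)
        data, tag = self._records[patient_id]
        if not hmac.compare_digest(self._tag(data), tag):
            self._audit(user_id, "read", patient_id, "integrity_failure")
            raise ValueError("PHI record failed integrity check")
        self._audit(user_id, "read", patient_id, "ok")
        return json.loads(data)

    def verify_integrity(self) -> dict:
        """Auditor view: True for each record whose stored tag still matches its content."""
        return {pid: hmac.compare_digest(self._tag(d), t) for pid, (d, t) in self._records.items()}
```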
The Advantages of HIPAA Compliance
Using HIPAA standards opens you up to new customers in a growing market. 67% of healthcare organizations are currently using a SaaS service in their workflow, with 92% of healthcare providers saying that they can see a future use for SaaS in their organization. By applying HIPAA standards, you can tap into the $3 trillion healthcare industry.
By working towards HIPAA compliance, you are able to market yourself to 3 new customer bases:
- Covered Entities
- 80% of physicians and 60% of hospitals are now using electronic health records (EHR). These organizations require HIPAA compliance for any cloud service they use.
- Business Associates
- As well as the covered entities, other business associates who process PHI can be assured that your service will also protect any data. As the cloud market grows for healthcare, 3rd party solutions for business associates will be able to market themselves as business associates.
- Wearables & Health Technologies
- Though wearables don’t have to be HIPAA compliant currently, the trend towards sharing personal health data from wearables and apps means that these companies blur the lines between what does and doesn’t need to be HIPAA-compliant.
Using Auth0 For HIPAA Authentication
This allows companies to configure Auth0 as an identity and authentication service as one element of meeting their HIPAA compliance needs.